Category: DNSSEC

PowerDNS Releases Version 3.2 With Increased DNSSEC Support

Congratulations to Bert Hubert and the rest of the team at PowerDNS on their 3.2 release last Thursday. If you scroll down through the release announcement and changelog, it is mostly about improvements to their already strong DNSSEC support!  The list of changes and improvements is rather impressive.

In speaking with Bert last week, he said the team there views DNSSEC as basically “done” on the authoritative server side and is now turning its focus to what it can do to make DNSSEC easier to deploy in DNS resolvers.  We’re looking forward to seeing what the team does there.

Meanwhile, if you are a PowerDNS user, the new release will give you even more DNSSEC power… time to upgrade!

Still Time To Submit A DNSSEC Speaking Proposal for ICANN 46 in Beijing

As we mentioned previously, there will be another DNSSEC Deployment Workshop on April 10, 2013, as part of ICANN 46 in Beijing, China.

The program committee is still open to receiving proposals if you would like to be considered for the agenda.

These DNSSEC workshops at ICANN meetings are outstanding places to meet with people involved in DNSSEC deployment and to present ideas, case studies, new tools and more.

See our earlier article for a full list of the kinds of topics for which the program committee is seeking proposals.  If you have a DNSSEC-related idea for a talk that doesn’t fit into those areas, don’t be afraid to submit it anyway; the program committee provides that list only as guidance.

The workshop agenda is filling up quickly… but there is still room for a few more speaking slots if you get a proposal in soon.  You need to send your proposal to dnssec-beijing@shinkuro.com by January 15th to be considered.

And if you would rather attend than present, attendance at the DNSSEC Deployment Workshop is free once you get yourself to Beijing.  The event will also be live-streamed, so you will be able to watch it remotely.

Verisign Labs DANE Demonstration Page and Test Sites

Are you developing software that uses the DANE protocol to bind TLS/SSL certificates to DNSSEC-signed DNS records, combining the strong integrity of DNSSEC with the encryption of TLS/SSL?

If so, the folks over at Verisign Labs have stood up a demonstration page and a series of test sites at:

http://dane.verisignlabs.com/

They provide a number of different test cases, including deliberately broken ones, that you can use to check your DANE support.  We’ve added their sites to our list of DANE test sites and we definitely thank Verisign for making them available.

Check the sites out… and let’s see DANE support getting added to more applications!

Will Your New Year’s Resolutions Include IPv6? DNSSEC? Routing?

It’s the last day of 2012… are you making resolutions for the New Year?

If so, how about one of these:

  • Get IPv6 fully deployed in our network.
  • Set up an IPv6 test network in my home or office.
  • Read a book about IPv6.

or

  • Read one of these reports to better understand the Internet’s routing infrastructure.
  • Attend one of Deploy360′s ION Conferences in 2013.
  • Send Deploy360 some feedback about what you’d like to see them add to their site.


Or, of course, you could always go with:

  • Post more kitten videos online, because clearly there aren’t enough

What will your resolution be for 2013?

Photo credit: Lori Ann of MamaWit on Flickr.

Weekend Project: Add DNSSEC Validation to an OpenWRT WiFi Device

Looking for a weekend project?  Do you use a WiFi access point based on OpenWRT?

If so, here are some quick instructions for installing the Unbound DNS resolver, which supports DNSSEC validation, on OpenWRT.  This replaces the DNS resolver in your access point with one that performs DNSSEC validation… so as more domains get signed you will know that the DNS answers you receive for them are authentic and unmodified.  One caveat: the validation happens in the access point, so devices behind it are still trusting the answers the access point hands them over the LAN; a client that wants that assurance end to end has to validate for itself.  Plus, with DNSSEC validation available you’ll be able to start playing around with very cool new technologies like the DANE protocol… who knows what you’ll be able to do with it!

The great thing is that it turns out to be a trivial process!

P.S. While you’re hacking on your devices, check out some of the other DNSSEC tools we are listing…

Call For Presenters – ICANN DNSSEC Deployment Workshop, April 10 in Beijing

Do you have some DNSSEC deployment experience you would like to share with the broader community? Could you present a case study of how you deployed DNSSEC resolvers within your network?  Have you created a new tool that automates or simplifies the usage of DNSSEC?

On April 10, 2013, there will be another “DNSSEC Deployment Workshop” at ICANN 46 in Beijing, China.  The recent DNSSEC workshop at ICANN 45 in Toronto was outstanding and had an excellent collection of case studies, statistics, new tools and more.

The program committee for the ICANN 46 workshop in Beijing has now issued a call for presentations and is seeking speakers on a variety of DNSSEC-related topics.  The full call for presenters is included below.

The deadline for submitting a proposal is JANUARY 15, 2013!

As noted below, you only need to send in a brief couple of sentences about what you would like to speak about.  If accepted you will then need to send in more information, slides, etc.  You need to send your proposal to dnssec-beijing@shinkuro.com by January 15th.

In full disclosure, I’ll note that I will be joining the program committee and so I will be one of the group of people reviewing proposals.  These events have turned out to be an excellent place for a gathering of the DNSSEC community and I would strongly encourage you to consider submitting a proposal!

As far as logistics go, attendance at ICANN 46 is free… you just need to get yourself to Beijing and pay for lodging, etc.  If you have never been to an ICANN meeting, the entire week is quite a fascinating view into the governance of domain names.

And here is the full call for presenters…


The DNSSEC Deployment Initiative, in cooperation with the ICANN Security and Stability Advisory Committee (SSAC), is planning a DNSSEC Workshop at the ICANN meeting in Beijing, China on 10 April 2013.  The DNSSEC Workshop has been a part of ICANN meetings for several years and has provided a forum for both experienced and new people to meet, present and discuss current and future DNSSEC deployments.  For reference, the most recent session was held at the ICANN Toronto meeting on 17 October 2012. The presentations and transcripts are available at http://toronto45.icann.org/node/34375.

We are seeking presentations on the following topics:

1.  DNSSEC Activities in Asia Pacific

For this panel we are seeking participation from those who have been involved in DNSSEC deployment in the Asia Pacific region as well as those who have a keen interest in the challenges and benefits of deployment.  Key questions to consider include: What would help to promote DNSSEC deployment?  What are the challenges you have faced when you deployed DNSSEC?

2. The Operational Realities of Running DNSSEC

Now that DNSSEC has become an operational norm for many registries, registrars, and ISPs, what have we learned about how we manage DNSSEC? What’s best practice around key rollovers? How often do you review your disaster recovery procedures? Is there operational familiarity within your customer support teams? Has DNSSEC made DNS more ‘brittle’ or is it just a run-of-the-mill operational practice? What operational statistics have we gathered about DNSSEC? Is it changing DNS patterns? How are our nameservers handling DNSSEC traffic? Is the volume as expected? Have we seen anything unusual?  Are there experiences being documented in the form of best practices, or something similar, for transfer of signed zones?

3.  DNSSEC and Enterprise Activities

DNSSEC has always been seen as a huge benefit to organizations looking to protect their identity and security on the Web. Large enterprises are an obvious target for DNS hackers and DNSSEC provides an ideal solution to this challenge. This session aims to look at the benefits and challenges of deploying DNSSEC for major enterprises. Topics for discussion:

  • What is the current status of DNSSEC deployment among enterprises?
  • What plans do the major enterprises have for their DNSSEC roadmaps?
  • What are the challenges to deployment for these organizations?  Do they foresee raising awareness of DNSSEC with their customers?

4. When Unexpected DNSSEC Events Occur

What have we learned from some of the operational outages that we have seen over the past 18 months? Are there lessons that we can pass on to those just about to implement DNSSEC? How do you manage dissemination of information about the outage? What have you learned about communications planning? Do you have a route to ISPs and registrars? How do you liaise with your CERT community?

5.  Preparing for Root Key Rollover

For this topic we are seeking input on issues relating to root key rollover.  In particular, we are seeking comments from vendors, ISPs, and the community that will be affected by distribution of new root keys.

6.  DNSSEC: Regulative, Legislative and Persuasive Approaches to Encouraging Deployment

There are many models in discussion for encouraging the take-up of DNSSEC amongst TLDs. In some jurisdictions we have seen governmental edicts insisting that DNSSEC is deployed across a Top Level Domain. In others, we have seen reports produced for governments highlighting the lack of take up and the need for tighter control amongst operators. Recently, we have witnessed the consideration of mandated DNSSEC signing of zones by some TLDs in order to gain access to newer premium domains.  Have any of these approaches worked in encouraging take up of DNSSEC? What role does a national government have in assisting deployment of DNSSEC? How are some of these measures perceived by registrars, DNS operators, ISPs and registrants?

7. DANE and Other DNSSEC Applications

Using DNSSEC as a means of authentication for http transactions is an exciting development of DNSSEC. What is the progress of the DNS-Based Authentication of Named Entities (DANE) initiative?  How soon could DANE become a deployable reality and what will be the impact of such a deployment, e.g. impact on traditional certification authorities (CAs)?

8.  Use of DNSSEC in the Reverse Space

This topic includes signed reverse zones and security products using reverse DNS lookup with DNSSEC validation.

9.  The Great DNSSEC Panel Quiz

Ever fancied pitting your wits against your colleagues?  Demonstrate your knowledge and expertise in DNSSEC in our Great DNSSEC Panel Quiz.

In addition, we welcome suggestions for additional topics.

If you are interested in participating, please send a brief (1-2 sentence) description of your proposed presentation to dnssec-beijing@shinkuro.com by 15 January 2013.

Join The DNSSEC and IPv6 Communities On Google+

Are you a Google+ user interested in DNSSEC or IPv6? Google+ recently introduced the capability to have “communities” of interest and so I went ahead and set up a “DNSSEC Community”. Separately, TJ Evans created an IPv6 community.

I’ll be honest and say I’m not entirely sure how these communities will be used yet. Perhaps they will be an active discussion area… perhaps it will be another place to post links related to DNSSEC or IPv6 that then get seen by others on Google+.

In any case, if you want to join the experiment, feel free to join the community on DNSSEC or the IPv6 community.

5 DNSSEC Training/Technical Sessions at USENIX LISA Next Week In San Diego

Want to learn more about DNSSEC?  Next week at the USENIX Large Installation System Administration (LISA) Conference in San Diego there are going to be some excellent DNSSEC sessions in addition to our ION San Diego event happening on Tuesday.

Starting it off will be a half-day DNS and DNSSEC tutorial on Tuesday morning (right before our ION event) by Shumon Huque of the University of Pennsylvania.  It looks like a great way to spend the morning diving deep into DNS and DNSSEC.

Tuesday afternoon will be our ION San Diego conference where we have two sessions focused on DNSSEC on our agenda. First, Pete Toscano of ARIN will talk about ARIN’s support of both DNSSEC and RPKI. Second, I’ll be moderating what should be a truly outstanding panel on the topic of deploying DNSSEC.  We have a great group of panelists including Rick Lamb from ICANN, Infoblox’s Cricket Liu who is also the author of multiple O’Reilly books on DNS, Jim Galvin of Afilias (who operates multiple TLDs) and Roland van Rijswijk-Deij of SURFnet who has been very actively working on getting more validating DNS servers deployed.  The panel will be a questions-based, highly interactive discussion session that we expect to be very educational (and perhaps entertaining) for all attending.  I’ll have questions for the panel but there will also be plenty of opportunities for you to ask your questions, too.

(Did we mention that registering for ION San Diego is FREE? Just fill out the form and come in for great IPv6 and DNSSEC education.)

Jumping to Friday, there are then two invited talks about DNSSEC. First, Roland van Rijswijk-Deij of SURFnet will be discussing “DNSSEC: What Every Sysadmin Should be Doing to Keep Things Working”. Roland’s presentations have been both educational and amusing in the past, so I’m sure this should be a good one.  Following Roland and closing out the DNSSEC sessions next week, Scott Rose of NIST will be presenting “DNSSEC Deployment in .gov: Progress and Lessons Learned” where he’ll be providing the case study of the US government’s deployment of DNSSEC and relaying their lessons learned thus far.  Scott and the team at NIST have been doing great work monitoring the DNSSEC deployment and this session should be very helpful to those looking to understand how to deploy DNSSEC on a very large scale.

There you have it… lots of great DNSSEC material!  If you are in San Diego next week for USENIX LISA, check out these sessions and also come to our ION conference.  Great opportunities to learn what you need to do to get started with DNSSEC today!

Hash-slinger Helps You Easily Create TLSA records for DNSSEC / DANE

If you are looking to get started with the DANE protocol to provide higher security for SSL/TLS certificates, a basic question is: how do you generate the TLSA record to put in your DNS zone file?

As we outlined before, there are a number of different tools you can use.  One that is perhaps the simplest, though, is a package for Linux from Paul Wouters called “hash-slinger” that is available at:

http://people.redhat.com/pwouters/hash-slinger/

One of the tools provided in the package is a command “tlsa” which does exactly what you might think – generate the TLSA record!  Paul showed how easy it is:

$ tlsa --create ietf.org
No certificate specified on the commandline, attempting to retrieve it from the server ietf.org.
Attempting to get certificate from 64.170.98.30
Got a certificate with Subject: /O=*.ietf.org/OU=Domain Control Validated/CN=*.ietf.org
_443._tcp.ietf.org. IN TLSA 3 0 1 54f3fd877632a41c65b0ff4e50e254dd7d1873486231dc6cd5e9c1c1963d1e4e

That’s it!  Now you can copy that record to your DNS zone file and you will be in the business of publishing a TLSA record!

Well, okay, it might not be quite that simple.  If your nameserver or DNSSEC-signing tool doesn’t yet support the TLSA record type (defined in RFC 6698), you may need to add a “-o generic” flag to the command line to get the record in generic (TYPE52) form.  Also note that, with no certificate given on the command line, the tool fetched the certificate from the live server over the network; for a record you intend to publish, point it at the certificate you actually deploy, so that you are hashing your certificate and not whatever the network path happened to hand you.  And you might want to add more options, as Shumon Huque did in his walk-through of setting up a TLSA record.

The key is that this tool is out there and can help all of us interested in getting the DANE protocol more widely deployed to start getting TLSA records more visible. Kudos to Paul for developing the tool and making it available.

If you use SSL/TLS on your sites, and you have your domain signed with DNSSEC, why not go the extra step and get a TLSA record out there?

Hash-slinger – a tool for creating TLSA records for the DANE protocol

Hash-slinger is a package of tools created by Paul Wouters of Red Hat to make it easy to create records for the DANE protocol, which lets you secure your SSL/TLS certificates using DNSSEC.

The package is available for Linux at:

http://people.redhat.com/pwouters/hash-slinger/

One of the tools provided in the package is a command “tlsa” that generates TLSA records (outlined in RFC 6698). Paul Wouters showed how easy it is:

$ tlsa --create ietf.org
No certificate specified on the commandline, attempting to retrieve it from the server ietf.org.
Attempting to get certificate from 64.170.98.30
Got a certificate with Subject: /O=*.ietf.org/OU=Domain Control Validated/CN=*.ietf.org
_443._tcp.ietf.org. IN TLSA 3 0 1 54f3fd877632a41c65b0ff4e50e254dd7d1873486231dc6cd5e9c1c1963d1e4e

You can now copy that record to your DNS zone file and be in the business of publishing a TLSA record.

If your nameserver or DNSSEC-signing software does not yet support the TLSA RRtype defined in RFC 6698, you can create a “generic” record type:

$ tlsa --create -o generic ietf.org
No certificate specified on the commandline, attempting to retrieve it from the server ietf.org.
Attempting to get certificate from 64.170.98.30
Got a certificate with Subject: /O=*.ietf.org/OU=Domain Control Validated/CN=*.ietf.org
_443._tcp.ietf.org. IN TYPE52 \# 35 03000154f3fd877632a41c65b0ff4e50e254dd7d1873486231dc6cd5e9c1c1963d1e4e

The “tlsa” command also has other options for generating other types of TLSA records.
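As an added example (not code from the original posts, nor from hash-slinger or Verisign Labs), here is a small Python implementation of what the tlsa command does for the record shown above, together with the matching check a DANE-aware client performs on the other side, which is what test sites like the Verisign Labs ones exercise. It builds the TLSA RDATA for usage 3 / selector 0 / matching type 1, renders it both in native presentation form and in the RFC 3597 generic TYPE52 form, and matches a presented certificate against the record. The certificate bytes are a constructed placeholder rather than a real certificate, and only selector 0 (full certificate) is implemented, since selector 1 (SubjectPublicKeyInfo) would need an ASN.1 parser.

```python
import hashlib
import hmac

# TLSA RRtype number from RFC 6698, used for the generic "TYPE52 \# len hex" form.
TLSA_RRTYPE = 52

# Constructed placeholder standing in for a DER-encoded certificate (assumption:
# a real deployment reads the server certificate in DER form from disk).
SAMPLE_CERT_DER = bytes.fromhex("3082010a0282010100") + b"example-cert-body" * 4


def tlsa_owner(host: str, port: int = 443, proto: str = "tcp") -> str:
    """Owner name for a TLSA record: _<port>._<proto>.<host>. (RFC 6698 section 3)."""
    return f"_{port}._{proto}.{host.rstrip('.')}."


def tlsa_association_data(cert_der: bytes, selector: int, matching_type: int) -> bytes:
    """Certificate Association Data for the given selector and matching type.

    selector: 0 = full certificate (1 = SubjectPublicKeyInfo, not implemented here).
    matching_type: 0 = exact bytes, 1 = SHA-256 digest, 2 = SHA-512 digest.
    """
    if selector != 0:
        raise NotImplementedError("only selector 0 (full certificate) is implemented")
    if matching_type == 0:
        return cert_der
    if matching_type == 1:
        return hashlib.sha256(cert_der).digest()
    if matching_type == 2:
        return hashlib.sha512(cert_der).digest()
    raise ValueError(f"unknown matching type {matching_type}")


def tlsa_rdata(cert_der: bytes, usage: int = 3, selector: int = 0, matching_type: int = 1) -> bytes:
    """Wire-format RDATA: one octet each of usage, selector, matching type, then the data."""
    for field in (usage, selector, matching_type):
        if not 0 <= field <= 255:
            raise ValueError("TLSA header fields are single octets")
    return bytes([usage, selector, matching_type]) + tlsa_association_data(
        cert_der, selector, matching_type
    )


def tlsa_record(owner: str, cert_der: bytes, usage: int = 3, selector: int = 0,
                matching_type: int = 1) -> str:
    """Native presentation form, e.g. '_443._tcp.example.test. IN TLSA 3 0 1 <hex>'."""
    rdata = tlsa_rdata(cert_der, usage, selector, matching_type)
    return f"{owner} IN TLSA {usage} {selector} {matching_type} {rdata[3:].hex()}"


def tlsa_record_generic(owner: str, cert_der: bytes, usage: int = 3, selector: int = 0,
                        matching_type: int = 1) -> str:
    """RFC 3597 generic form for software that does not know the TLSA type: 'TYPE52 \\# <len> <hex>'."""
    rdata = tlsa_rdata(cert_der, usage, selector, matching_type)
    return f"{owner} IN TYPE{TLSA_RRTYPE} \\# {len(rdata)} {rdata.hex()}"


def tlsa_matches(record_rdata: bytes, presented_cert_der: bytes) -> bool:
    """Client side: does the certificate presented in the TLS handshake match this RDATA?

    Only the byte comparison is done here; for usage 3 (DANE-EE) that is the whole
    check, while usages 0-2 additionally involve chain validation (against the PKIX
    store for 0 and 1, to the trust anchor carried in the record for 2).
    """
    if len(record_rdata) < 4:
        return False
    selector, matching_type = record_rdata[1], record_rdata[2]
    try:
        expected = tlsa_association_data(presented_cert_der, selector, matching_type)
    except (NotImplementedError, ValueError):
        return False
    return hmac.compare_digest(record_rdata[3:], expected)


if __name__ == "__main__":
    owner = tlsa_owner("example.test")
    print(tlsa_record(owner, SAMPLE_CERT_DER))
    print(tlsa_record_generic(owner, SAMPLE_CERT_DER))
    rdata = tlsa_rdata(SAMPLE_CERT_DER)
    print("matches deployed cert:", tlsa_matches(rdata, SAMPLE_CERT_DER))
    print("matches other cert:   ", tlsa_matches(rdata, SAMPLE_CERT_DER + b"\x00"))
```

The generic form is simply the wire RDATA spelled out: the 35 in "\# 35" is one octet each for usage, selector and matching type plus the 32-octet SHA-256 digest, which is why the hex begins with 030001 and then continues with the same digest the native form shows. Two things the record itself cannot tell you: it only means anything when served from a DNSSEC-signed zone, and with usage 3 and selector 0 any certificate renewal changes the digest, so the new record has to be published (and old TTLs allowed to expire) before the new certificate goes live.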